Hacker News

In Devise at least, reset tokens expire, so they'd need to have been set in the last day to be useful, which narrows that attack considerably, doesn't it?


Why wait and not use it right away? If you have read access now you can exploit now.


Oh, I see: you mean they have read access, then trigger a password reset, then use the token straight away? That does mean they'd be firing off emails, which would alert users though.


It would. They probably didn't do it because they didn't try this trick. But they could, I think.


BTW, the newer version of Devise actually hashes tokens.
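To illustrate what hashing the stored token buys you in the scenario above, here is an added example (my own constructed code, not Devise's implementation): only a keyed HMAC of the reset token is kept in the store, the raw token goes out by e-mail, and tokens expire and are single use. Someone who can read the stored column gets the digest, which does not redeem, while the raw token does until it expires. The class, the `secret` key and the TTL are assumptions for this example.

```ruby
require "securerandom"
require "openssl"

# In-memory model of hashed password-reset tokens (constructed example).
# The store never holds the raw token, only HMAC-SHA256(secret, token),
# so read access to the store alone is not enough to reset a password.
class ResetTokenStore
  TOKEN_TTL = 6 * 60 * 60 # seconds; an assumed expiry window for this example

  def initialize(secret:)
    @secret = secret          # assumed server-side secret, never stored with tokens
    @rows = {}                # user_id => { digest:, sent_at: }
    @by_digest = {}           # digest  => user_id (models a lookup by the hashed column)
  end

  # Issues a fresh token for the user, records only its digest, and
  # returns the raw token (the value the reset e-mail would carry).
  def issue(user_id, now: Time.now)
    raw = SecureRandom.urlsafe_base64(32)
    d = digest_of(raw)
    @rows[user_id] = { digest: d, sent_at: now }
    @by_digest[d] = user_id
    raw
  end

  # What a reader of the database sees for this user.
  def stored_digest(user_id)
    @rows.dig(user_id, :digest)
  end

  # Returns the user_id if the presented value is an unexpired, unused
  # raw token; nil otherwise. Presenting the stored digest itself fails,
  # because it is hashed again before lookup.
  def redeem(presented, now: Time.now)
    user_id = @by_digest[digest_of(presented)]
    return nil unless user_id
    row = @rows[user_id]
    return nil if now - row[:sent_at] > TOKEN_TTL   # expired
    @by_digest.delete(row[:digest])                 # single use
    @rows.delete(user_id)
    user_id
  end

  private

  def digest_of(token)
    OpenSSL::HMAC.hexdigest("SHA256", @secret, token)
  end
end
```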



